No. Under the HIPAA regulations, a provider (such as a health facility) and health plans (such as Medi-Cal) may use or disclose PHI (Protected Health Information) without patient authorization for treatment, payment and health care operations (45 Code of Federal Regulations, §164.502). Payment is broadly defined to mean activities undertaken by a health care provider or health plan to obtain or provide reimbursement for the provision of health care (45 Code of Federal Regulations, §164.501). HIPPA rules make it clear that a covered entity (such as a health facility) may disclose PHI to another covered entity (such as Medi-Cal) for the payment activities. Therefore, under HIPAA, covered entities may submit claims to the Medi-Cal program without PHI restrictions. The Business Associate Agreement is required when a provider or health plan contracts with a separate organization to perform a function using PHI on behalf of the provider or plan (45 Code of Federal Regulations, §160.103). For example, a Business Associate Agreement would be needed if an outside organization is contracted to perform billing for a provider.